github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/README.md (about) 1 [![GitHub Release][release-img]][release] 2 [![Downloads][download]][release] 3 [![Docker Pulls][docker-pull]][docker] 4 [![Go Report Card][report-card-img]][report-card] 5 [![Build Status](https://github.com/khulnasoft-lab/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/khulnasoft-lab/kube-bench/actions) 6 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/khulnasoft-lab/kube-bench/blob/main/LICENSE) 7 [![Coverage Status][cov-img]][cov] 8 9 [download]: https://img.shields.io/github/downloads/khulnasoft-lab/kube-bench/total?logo=github 10 [release-img]: https://img.shields.io/github/release/khulnasoft-lab/kube-bench.svg?logo=github 11 [release]: https://github.com/khulnasoft-lab/kube-bench/releases 12 [docker-pull]: https://img.shields.io/docker/pulls/khulnasoft/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench 13 [docker]: https://hub.docker.com/r/khulnasoft/kube-bench 14 [cov-img]: https://codecov.io/github/khulnasoft-lab/kube-bench/branch/main/graph/badge.svg 15 [cov]: https://codecov.io/github/khulnasoft-lab/kube-bench 16 [report-card-img]: https://goreportcard.com/badge/github.com/khulnasoft-lab/kube-bench 17 [report-card]: https://goreportcard.com/report/github.com/khulnasoft-lab/kube-bench 18 19 <img src="docs/images/kube-bench.png" width="200" alt="kube-bench logo"> 20 21 kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). 22 23 Tests are configured with YAML files, making this tool easy to update as test specifications evolve. 24 25 ![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security") 26 27 ## CIS Scanning as part of Tunnel and the Tunnel Operator 28 29 [Tunnel](https://github.com/khulnasoft/tunnel), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/khulnasoft/tunnel-operator) inside a cluster. 30 Both, the [Tunnel CLI](https://github.com/khulnasoft/tunnel), and the [Tunnel Operator](https://github.com/khulnasoft/tunnel-operator) support CIS Kubernetes Benchmark scanning among several other features. 31 32 ## Quick start 33 34 There are multiple ways to run kube-bench. 35 You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. 36 37 The supplied `job.yaml` [file](job.yaml) can be applied to run the tests as a job. For example: 38 39 ```bash 40 $ kubectl apply -f job.yaml 41 job.batch/kube-bench created 42 43 $ kubectl get pods 44 NAME READY STATUS RESTARTS AGE 45 kube-bench-j76s9 0/1 ContainerCreating 0 3s 46 47 # Wait for a few seconds for the job to complete 48 $ kubectl get pods 49 NAME READY STATUS RESTARTS AGE 50 kube-bench-j76s9 0/1 Completed 0 11s 51 52 # The results are held in the pod's logs 53 kubectl logs kube-bench-j76s9 54 [INFO] 1 Master Node Security Configuration 55 [INFO] 1.1 API Server 56 ... 57 ``` 58 For more information and different ways to run kube-bench see [documentation](docs/running.md) 59 ### Please Note 60 61 1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org). 62 63 1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](docs/platforms.md#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark. 64 65 66 By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine. 67 - see the following documentation on [Running kube-bench](docs/running.md#running-kube-bench) for more details. 68 69 70 ## Contributing 71 Kindly read [Contributing](CONTRIBUTING.md) before contributing. 72 We welcome PRs and issue reports. 73 74 ## Roadmap 75 76 Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.